Google exposed the personal information of hundreds of thousands of users of its Google+ social network, the company announced in a blog post this morning. The news, originally reported by The Wall Street Journal ahead of Google’s announcement, means that Google+ profile information like name, email address, occupation, gender, and age was exposed to third-party apps even when the user had marked that data as private rather than public. However, Google says that it has no evidence to suggest any third-party developers were aware of the bug or abused it. The bug, affecting an API that was accessed by hundreds of developers, appears to have been active between 2015 and 2018.
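The failure described above, an app token that legitimately unlocks a profile-read endpoint but a response built from the whole record so that per-field privacy settings are never consulted, is a general class of authorization bug. The sketch below is an added illustration and is not Google's code; the names (Profile, Token, the two hypothetical scope strings, serialize_unsafe/serialize_safe) and the sample profile are all constructed for the example, and nothing here reproduces the actual Google+ API.

```python
"""Field-level visibility on a profile-read API: the bug pattern next to a fix.

Added illustration, not Google's code. Scope names, types and data are
hypothetical; the point is that the token must gate each *field*, not
just the endpoint.
"""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet

PUBLIC = "public"
PRIVATE = "private"  # owner-only unless a token is explicitly scoped for it

# Hypothetical OAuth scope names (assumed for this example).
SCOPE_PROFILE_PUBLIC = "profile.public"    # what a typical third-party app asks for
SCOPE_PROFILE_PRIVATE = "profile.private"  # would require separate, explicit consent


@dataclass(frozen=True)
class Profile:
    user_id: str
    fields: Dict[str, Any]       # field name -> value
    visibility: Dict[str, str]   # field name -> PUBLIC | PRIVATE


@dataclass(frozen=True)
class Token:
    subject: str           # user who granted the token
    client_id: str         # "" means the user's own first-party session
    scopes: FrozenSet[str]


# Constructed sample data (not a real user).
ALICE = Profile(
    user_id="u-1001",
    fields={
        "name": "Alice Example",
        "email": "alice@example.invalid",
        "occupation": "analyst",
        "gender": "female",
        "age": 34,
    },
    visibility={
        "name": PUBLIC,
        "email": PRIVATE,
        "occupation": PRIVATE,
        "gender": PRIVATE,
        # "age" deliberately untagged to exercise the default-deny rule below
    },
)


def _check_endpoint_access(profile: Profile, token: Token) -> None:
    """Endpoint-level gate shared by both serializers: the token must belong
    to the profile owner, and a third-party client needs a profile scope."""
    if profile.user_id != token.subject:
        raise PermissionError("token subject does not own this profile")
    if token.client_id and not token.scopes & {SCOPE_PROFILE_PUBLIC, SCOPE_PROFILE_PRIVATE}:
        raise PermissionError("no profile scope granted")


def serialize_unsafe(profile: Profile, token: Token) -> Dict[str, Any]:
    """The bug pattern: access to the endpoint is checked, then the response
    is built from the whole record, so per-field visibility is ignored."""
    _check_endpoint_access(profile, token)
    return dict(profile.fields)


def _may_read_private(profile: Profile, token: Token) -> bool:
    """Private fields go only to the owner acting directly, or to a client
    holding the explicit private-profile scope."""
    if profile.user_id != token.subject:
        return False
    return token.client_id == "" or SCOPE_PROFILE_PRIVATE in token.scopes


def serialize_safe(profile: Profile, token: Token) -> Dict[str, Any]:
    """Fixed version: every field is filtered by its visibility, and a field
    with no visibility tag is treated as PRIVATE (default deny)."""
    _check_endpoint_access(profile, token)
    allow_private = _may_read_private(profile, token)
    return {
        name: value
        for name, value in profile.fields.items()
        if profile.visibility.get(name, PRIVATE) == PUBLIC or allow_private
    }


def leaked_fields(profile: Profile, token: Token) -> list:
    """Regression check: fields the unsafe path returns that the safe path
    withholds for this token. Non-empty means the token over-reads."""
    return sorted(set(serialize_unsafe(profile, token)) - set(serialize_safe(profile, token)))


if __name__ == "__main__":
    app = Token(subject="u-1001", client_id="third-party-app",
                scopes=frozenset({SCOPE_PROFILE_PUBLIC}))
    print("public-scope app, unsafe:", serialize_unsafe(ALICE, app))
    print("public-scope app, safe:  ", serialize_safe(ALICE, app))
    print("leaked by the bug:       ", leaked_fields(ALICE, app))
```

The check worth keeping from this is leaked_fields: run it in CI for each scope combination a client can hold, and any non-empty result is a field the API hands out that the user's privacy setting should have withheld. Untagged fields defaulting to PRIVATE matters too; a field added to the schema later without a visibility entry then fails closed rather than open.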
The company says it closed the bug in March 2018 shortly after learning of its existence. The WSJ reports that the company chose not to report it because of fear of “immediate regulatory interest” that would lump Google in with Facebook, according to one source’s description of the incident. At the time, Facebook had just publicly disclosed that data mining firm Cambridge Analytica had illegally purchased tens of millions of users’ profile information from a third-party app maker, who had gleaned that information from people who logged into a personality quiz and inadvertently granted the app access to their friends list.
Google says it discovered the bug as part of an effort called Project Strobe, which was launched to conduct a “review of third-party developer access to Google account and Android device data and of our philosophy around apps’ data access,” according to Ben Smith, the blog post author and a vice president of engineering. As a result of the bug, the company is shutting down the consumer-facing element of Google+, noting that 90 percent of sessions lasted less than five seconds. About 500,000 user profiles were affected by the bug, Smith notes.
In the post, Smith gives a rationale for not disclosing the bug earlier:
Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.
Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.
The Google+ shutdown will take place over the course of the next 10 months, concluding in August of 2019. Google still plans to make Google+ available as an enterprise product for companies, which is a curious move for a product that had a massive, exploitable bug built into a core API for three years. “We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses. We will share more information in the coming days,” Smith writes.
Update 10/8, 2:45PM ET: Added Google’s rationale for not disclosing the bug earlier.